Filtered by vendor Openstack
Subscribe
Total
253 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2015-1881 | 1 Openstack | 1 Image Registry And Delivery Service \(glance\) | 2023-12-10 | 4.0 MEDIUM | N/A |
| OpenStack Image Registry and Delivery Service (Glance) 2014.2 through 2014.2.2 does not properly remove images, which allows remote authenticated users to cause a denial of service (disk consumption) by creating a large number of images using the task v2 API and then deleting them, a different vulnerability than CVE-2014-9684. | |||||
| CVE-2015-1195 | 1 Openstack | 1 Image Registry And Delivery Service \(glance\) | 2023-12-10 | 6.5 MEDIUM | N/A |
| The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.1.4 and 2014.2.x before 2014.2.2 allows remote authenticated users to read or delete arbitrary files via a full pathname in a filesystem: URL in the image location property. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-9493. | |||||
| CVE-2014-3621 | 3 Canonical, Openstack, Redhat | 4 Ubuntu Linux, Keystone, Enterprise Linux and 1 more | 2023-12-10 | 4.0 MEDIUM | N/A |
| The catalog url replacement in OpenStack Identity (Keystone) before 2013.2.3 and 2014.1 before 2014.1.2.1 allows remote authenticated users to read sensitive configuration options via a crafted endpoint, as demonstrated by "$(admin_token)" in the publicurl endpoint field. | |||||
| CVE-2014-5253 | 2 Canonical, Openstack | 2 Ubuntu Linux, Keystone | 2023-12-10 | 4.9 MEDIUM | N/A |
| OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 does not properly revoke tokens when a domain is invalidated, which allows remote authenticated users to retain access via a domain-scoped token for that domain. | |||||
| CVE-2014-3594 | 2 Openstack, Opensuse | 2 Horizon, Opensuse | 2023-12-10 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the Host Aggregates interface in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-3 allows remote administrators to inject arbitrary web script or HTML via a new host aggregate name. | |||||
| CVE-2014-0157 | 2 Openstack, Opensuse | 2 Horizon, Opensuse | 2023-12-10 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Horizon Orchestration dashboard in OpenStack Dashboard (aka Horizon) 2013.2 before 2013.2.4 and icehouse before icehouse-rc2 allows remote attackers to inject arbitrary web script or HTML via the description field of a Heat template. | |||||
| CVE-2014-7144 | 1 Openstack | 2 Keystonemiddleware, Python-keystoneclient | 2023-12-10 | 4.3 MEDIUM | N/A |
| OpenStack keystonemiddleware (formerly python-keystoneclient) 0.x before 0.11.0 and 1.x before 1.2.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate. | |||||
| CVE-2013-2104 | 1 Openstack | 1 Python-keystoneclient | 2023-12-10 | 5.5 MEDIUM | N/A |
| python-keystoneclient before 0.2.4, as used in OpenStack Keystone (Folsom), does not properly check expiry for PKI tokens, which allows remote authenticated users to (1) retain use of a token after it has expired, or (2) use a revoked token once it expires. | |||||
| CVE-2014-5251 | 2 Canonical, Openstack | 2 Ubuntu Linux, Keystone | 2023-12-10 | 4.9 MEDIUM | N/A |
| The MySQL token driver in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 stores timestamps with the incorrect precision, which causes the expiration comparison for tokens to fail and allows remote authenticated users to retain access via an expired token. | |||||
| CVE-2014-9623 | 2 Openstack, Redhat | 2 Image Registry And Delivery Service \(glance\), Openstack | 2023-12-10 | 4.0 MEDIUM | N/A |
| OpenStack Glance 2014.2.x through 2014.2.1, 2014.1.3, and earlier allows remote authenticated users to bypass the storage quota and cause a denial of service (disk consumption) by deleting an image in the saving state. | |||||
| CVE-2015-1852 | 2 Canonical, Openstack | 3 Ubuntu Linux, Keystonemiddleware, Python-keystoneclient | 2023-12-10 | 4.3 MEDIUM | N/A |
| The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate, a different vulnerability than CVE-2014-7144. | |||||
| CVE-2014-2828 | 1 Openstack | 1 Keystone | 2023-12-10 | 7.8 HIGH | N/A |
| The V3 API in OpenStack Identity (Keystone) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 allows remote attackers to cause a denial of service (CPU consumption) via a large number of the same authentication method in a request, aka "authentication chaining." | |||||
| CVE-2013-6396 | 1 Openstack | 1 Swift | 2023-12-10 | 5.8 MEDIUM | N/A |
| The OpenStack Python client library for Swift (python-swiftclient) 1.0 through 1.9.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2014-3517 | 1 Openstack | 1 Nova | 2023-12-10 | 4.3 MEDIUM | N/A |
| api/metadata/handler.py in OpenStack Compute (Nova) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2, when proxying metadata requests through Neutron, makes it easier for remote attackers to guess instance ID signatures via a brute-force attack that relies on timing differences in responses to instance metadata requests. | |||||
| CVE-2014-3555 | 1 Openstack | 1 Neutron | 2023-12-10 | 4.0 MEDIUM | N/A |
| OpenStack Neutron before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated users to cause a denial of service (crash or long firewall rule updates) by creating a large number of allowed address pairs. | |||||
| CVE-2014-3641 | 1 Openstack | 1 Cinder | 2023-12-10 | 4.0 MEDIUM | N/A |
| The (1) GlusterFS and (2) Linux Smbfs drivers in OpenStack Cinder before 2014.1.3 allows remote authenticated users to obtain file data from the Cinder-volume host by cloning and attaching a volume with a crafted qcow2 header. | |||||
| CVE-2014-0105 | 1 Openstack | 1 Python-keystoneclient | 2023-12-10 | 6.0 MEDIUM | N/A |
| The auth_token middleware in the OpenStack Python client library for Keystone (aka python-keystoneclient) before 0.7.0 does not properly retrieve user tokens from memcache, which allows remote authenticated users to gain privileges in opportunistic circumstances via a large number of requests, related to an "interaction between eventlet and python-memcached." | |||||
| CVE-2013-6433 | 2 Canonical, Openstack | 2 Ubuntu Linux, Neutron | 2023-12-10 | 7.6 HIGH | N/A |
| The default configuration in the Red Hat openstack-neutron package before 2013.2.3-7 does not properly set a configuration file for rootwrap, which allows remote attackers to gain privileges via a crafted configuration file. | |||||
| CVE-2013-7048 | 1 Openstack | 1 Nova | 2023-12-10 | 3.3 LOW | N/A |
| OpenStack Compute (Nova) Grizzly 2013.1.4, Havana 2013.2.1, and earlier uses world-writable and world-readable permissions for the temporary directory used to store live snapshots, which allows local users to read and modify live snapshots. | |||||
| CVE-2013-4471 | 1 Openstack | 1 Horizon | 2023-12-10 | 5.5 MEDIUM | N/A |
| The Identity v3 API in OpenStack Dashboard (Horizon) before 2013.2 does not require the current password when changing passwords for user accounts, which makes it easier for remote attackers to change a user password by leveraging the authentication token for that user. | |||||